[go: up one dir, main page]

US12041444B2 - Authentication using wireless sensing - Google Patents

Authentication using wireless sensing Download PDF

Info

Publication number
US12041444B2
US12041444B2 US17/446,839 US202117446839A US12041444B2 US 12041444 B2 US12041444 B2 US 12041444B2 US 202117446839 A US202117446839 A US 202117446839A US 12041444 B2 US12041444 B2 US 12041444B2
Authority
US
United States
Prior art keywords
wireless
information
authentication
sensing
end point
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US17/446,839
Other versions
US20220078610A1 (en
Inventor
Michael Peter Montemurro
James Randolph Winter Lepp
Stephen McCann
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BlackBerry Ltd
Original Assignee
BlackBerry Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BlackBerry Ltd filed Critical BlackBerry Ltd
Priority to US17/446,839 priority Critical patent/US12041444B2/en
Priority to CA3130056A priority patent/CA3130056A1/en
Priority to CN202111057737.3A priority patent/CN114258021A/en
Priority to EP21196115.6A priority patent/EP3968682A1/en
Assigned to BLACKBERRY LIMITED reassignment BLACKBERRY LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BLACKBERRY UK LIMITED
Assigned to BLACKBERRY LIMITED reassignment BLACKBERRY LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MONTEMURRO, MICHAEL PETER, LEPP, JAMES RANDOLPH WINTER
Assigned to BLACKBERRY UK LIMITED reassignment BLACKBERRY UK LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCCANN, STEPHEN
Publication of US20220078610A1 publication Critical patent/US20220078610A1/en
Priority to US18/757,913 priority patent/US20240349051A1/en
Publication of US12041444B2 publication Critical patent/US12041444B2/en
Application granted granted Critical
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/79Radio fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/65Environment-dependent, e.g. using captured environmental data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/66Trust-dependent, e.g. using trust scores or trust relationships
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/68Gesture-dependent or behaviour-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/38Services specially adapted for particular environments, situations or purposes for collecting sensor information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/065Continuous authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • a user can use an electronic device to perform various tasks, including tasks at the electronic device or tasks that involve accessing a remote site (e.g., a website, an application server, a database server, a storage server, etc.).
  • a remote site e.g., a website, an application server, a database server, a storage server, etc.
  • the user can be authenticated before access of the electronic device is granted to the user.
  • Examples of such authentication include an authentication based on receipt of a user credential (e.g., a user identifier and password, a certificate, a token, etc.), an authentication based on receipt of biometric information from a biometric reader (e.g., a fingerprint reader, an iris scanner, a camera, etc.), and so forth.
  • a biometric reader e.g., a fingerprint reader, an iris scanner, a camera, etc.
  • FIG. 1 is a block diagram of an example arrangement including a Zero Trust system, an end point device, a wireless node, and a target object, according to some implementations of the present disclosure.
  • FIG. 4 is a block diagram of a system according to some examples.
  • Zero Trust is a security term stating that no entity should be trusted. When applied to information and communications technology, this means that every connection to a specific device or network (both internal and external) should be verified (authenticated). Verification can range from an initial verification when a connection is established or verification performed on a continuous basis.
  • a benefit of Zero Trust is that a network that has been previously secured behind a perimeter fence (e.g., a virtual private network or VPN) can dispense with having to set up the VPN connection and authenticate directly with servers or services both on premises and in the cloud.
  • a perimeter fence e.g., a virtual private network or VPN
  • DISA Defense Information Systems Agency
  • An end point device can include a smartphone, a desktop computer, a notebook computer, a tablet computer, a vehicle, or another electronic device.
  • An example of a security hardware is a biometric reader that can be included in the end point device or connected over a link (wired link or wireless link) to the end point device.
  • a biometric reader can include a fingerprint reader, an iris scanner, a camera, and so forth.
  • Another example of a security hardware is a proximity sensor to detect a proximity of a user (or users) to an end point device.
  • Adding security hardware to an end point device to support multi-factor authentication can add to the overall cost of the end point device.
  • a biometric reader, a proximity sensor, or other security hardware may work properly only when the end point device is oriented in a certain way with respect to a user (e.g., a camera has to face a user, a biometric reader has to be oriented so that the pertinent part of the user can be captured, etc.). If the security hardware does not have the proper orientation, then the security hardware may not operate properly.
  • an end point device using Zero Trust security does not have a standardized interface between a security end point application and a wireless sensor, which can provide biometric information based on the end point device's environment.
  • the standardized interface can be used for starting, stopping, and continuous monitoring of an environment of an end point device using a wireless sensor.
  • the Zero Trust system 104 can be separate from the end point device 102 , but is connected to the end point device 102 over a link 106 .
  • the link 106 can be a wired link or a wireless link.
  • the Zero Trust system 104 can be part of a cloud, a server, and so forth.
  • the Zero Trust system 104 can be part of the end point device 102 .
  • the Zero Trust system 104 can include a program executable in the end point device 102 .
  • the environment in which the end point device 102 is located includes a wireless node 108 .
  • the wireless node 108 can include an access point (AP).
  • An AP is a wireless access network node that allows an electronic device to establish a connection with the AP to perform communications over the WLAN.
  • wireless nodes can be employed, including a wireless node that is part of a cellular access network (e.g., a fifth generation or 5G cellular network, a fourth generation or 4G cellular network, etc.), a wireless node that performs communications using BLUETOOTH signals, a wireless node that performs communications using ZIGBEE signals, a wireless node that performs communications using Dedicated Short Range Communications (DSRC) signals, and so forth.
  • a wireless node that is part of a cellular access network e.g., a fifth generation or 5G cellular network, a fourth generation or 4G cellular network, etc.
  • BLUETOOTH signals e.g., a wireless node that performs communications using BLUETOOTH signals
  • ZIGBEE signals e.g., ZIGBEE signals
  • DSRC Dedicated Short Range Communications
  • a “wireless node” can refer to any electronic device that is able to perform wireless communications. Although the wireless node 108 is shown as being outside of the end point device 102 , in other examples, the wireless node 108 can be part of the end point device 102 . For example, the wireless node 108 can include a WLAN controller (or another type of network interface controller) within the end point device.
  • a WLAN controller or another type of network interface controller
  • the wireless node 108 (or multiple wireless nodes 108 ) can be used as wireless sensors to perform wireless sensing 112 of a target object 114 .
  • the target object 114 can be a user or a group of users. In other examples, the target object 114 can be a different physical object that is to be authenticated before access is granted of the end point device 102 . The authentication is based on the wireless sensing 112 performed by the wireless node(s) 108 .
  • the wireless node 108 can provide two roles: 1) support communications between an end point device (e.g., 102 ) and a network, such as a WLAN or another type of network, and 2) perform wireless sensing of the target object 114 for authenticating the target object 114 .
  • the standardized interface 110 can be between the internal wireless node 108 and another entity (e.g., a program or a hardware device) in the end point device 102 .
  • a wireless sensing system including the wireless node 108 (or multiple wireless nodes 108 ), zero or more wireless stations (STAs), sensing protocols that govern wireless transmissions and wireless receptions, and so forth, can be used to perform authentication, such as Zero Trust authentication.
  • the wireless sensing system can leverage use of an AP, a WLAN controller, or any other type of wireless node that is already present in an environment in which the end point device 102 is located.
  • Information from the wireless sensing system is used to provide environmental data input to a Zero Trust system 104 through the standardized interface 110 .
  • the wireless sensor (implemented with the wireless node 108 ) provides data to the end point device 102 about the local radio environment.
  • the wireless sensor can provide an extra source of biometric information to the end point device 102 .
  • the wireless node 108 e.g., an AP that is able to perform radio communications
  • the wireless sensor can act as a single source for authorization/deauthorization and other operations in the Zero Trust system 104 , or can be one of multiple factors used in a security algorithm.
  • the Zero Trust system 104 can build up a pattern of wireless sensor information collected using one or more wireless nodes 108 .
  • the pattern of wireless sensor information can be compared against a security threshold, which could then trigger re-authentication or can be used to determine no authentication is required (e.g., for simple IoT devices).
  • the pattern of wireless sensor information can be used to recognize a regular user of the end point device 102 , detect that a user has moved away from the end point device 102 for greater than a specified amount of time, and so forth.
  • an existing wireless system e.g., a WLAN system, a BLUETOOTH system, etc.
  • an existing wireless system e.g., a WLAN system, a BLUETOOTH system, etc.
  • an existing wireless system e.g., a WLAN system, a BLUETOOTH system, etc.
  • can operate in a wireless sensing mode through the standardized interface 110 ), such as when the Zero Trust system 104 requests to perform a radio environment check.
  • a key press may allow the Zero Trust system 104 to activate the WLAN radio (e.g., of the AP or a WLAN controller) as a wireless sensor for a time duration to determine the biometrics of a user. This information is then fed back into the Zero Trust system 104 to determine if the user is allowed to utilize the end point device 102 .
  • the WLAN radio e.g., of the AP or a WLAN controller
  • the sense indication is sent (at 204 ) by the Zero Trust system 104 to the end point device 102 , which sends (at 206 ) the sense indication to the wireless node 108 through the standardized interface 110 (e.g., an API).
  • the standardized interface 110 e.g., an API
  • the sense indication is sent on a periodic basis by the Zero Trust system 104 . In other examples, the sense indication is sent by the Zero Trust system 104 in response to a different event.
  • the wireless node 108 performs wireless sensing (at 208 ), such as by transmitting wireless signals and receiving wireless signals.
  • the transmitted wireless signals may be affected by the target object 114 in the environment 202 .
  • the target object 114 may absorb wireless signals and/or reflect wireless signals in various directions.
  • the wireless node 108 can collect information that is based on how wireless signals are affected (absorbed and/or reflected) by the target object 114 .
  • WLAN communications use wireless signals of relatively short wavelengths (e.g., corresponding to 2.4 gigahertz (GHz) to 5 GHz).
  • the WLAN signals can be used as radar signals, and transmitted WLAN signals can be compared to returned WLAN signals (as affected by the target object 114 ) to determine characteristics of a physical environment around the wireless node 108 .
  • the IEEE 802.11 bf amendment enables WLAN sensing measurements to be obtained using transmissions that are requested, unsolicited, or both.
  • MAC Medium Access Control
  • Measurement information acquired by the wireless node 108 based on the wireless sensing is sent (at 210 ) by the wireless node 108 to the end point device 102 through the standardized interface 110 (e.g., an API).
  • the end point device 102 then sends (at 212 ) the measurement information to the Zero Trust system 104 .
  • the Zero Trust system 104 creates a security update message based on the measurement information received by the Zero Trust system 104 from the end point device 102 .
  • the Zero Trust system 104 sends (at 214 ) the security update message to the end point device 102 .
  • the security update message can cause the end point device 102 to perform a security action, e.g., allow access of the end point device 102 by the target object 114 based on the security update message indicating that the target object 114 has been authenticated in response to the measurement information.
  • the security update message can be in the form of security information that indicates whether or not authentication of the target object 114 was successful.
  • the end point device 102 may be able to assess itself, by determining whether a security update is to be performed based on the measurement information.
  • FIG. 2 refers to an example in which a security check is initiated by the Zero Trust system 104 , either periodically or in response to an event.
  • FIG. 3 shows another example in which passive sensing is used.
  • the wireless node 108 performs passive wireless sensing (at 302 ) of the environment 202 .
  • the wireless node 108 may be in a passive listen mode.
  • the passive wireless sensing is performed by the wireless node 108 without being requested by the Zero Trust system 104 (or another authentication system).
  • the passive wireless sensing can be based on analyzing characteristics of wireless signals that are used as part of normal data or control communications.
  • the Zero Trust system 104 can initiate a re-check of the environment 202 , using messaging 308 , 310 , 312 , 314 , 316 , and 318 , which are similar to messaging 204 , 206 , 208 , 210 , 212 , and 214 of FIG. 2 .
  • a new use case and requirements for “Wi-Fi Sensing for Zero Trust” are added to the features of the IEEE 802.11 bf amendment.
  • the MAC/SME (station management entity) layer of the 802.11 bf amendment can be updated to provide frames and an API to allow Zero Trust applications within a WLAN device (or network to which WLAN devices are attached) to request the transmission and reception of WLAN sensing communications.
  • API standards are developed (e.g., open standards) for Zero Trust networks and systems, then an interface to the lower level 802.11 MAC layer may be developed in 802.11.
  • WLAN sensing devices may also be possible for WLAN sensing devices to store (cache) previous sensing measurements and for this information to also be accessible to Zero Trust applications.
  • Two modes of operation may be provided: a continuous mode, and a scheduled or on-demand mode.
  • a continuous mode an end point device is continually monitored for Zero Trust security (e.g., the end point device is being used in public) and so sensing continuously operates.
  • sensing is scheduled to operate for a short period on a scheduled basis to re-check the Zero Trust status.
  • the Zero Trust system may explicitly send a command to the end point device to perform sensing.
  • the wireless sensing system can be used to determine whether there is an environmental emergency in a space.
  • the output of the wireless sensing system can be fed into a crisis communications system, which can send a notification of the emergency. This can lead to mass notifications and situational awareness.
  • the wireless sensing system can be used to detect health issues with a user, such as the regular user of an end point device. Deviations from historical movement patterns of a user may be indicative of a health issue, such as a concussion, a muscle injury, a bone injury, a stroke, a change in heart function, and so forth.
  • the wireless sensing system can monitor for a change in a user's movement pattern, and can inform the user to seek assessment from a medical professional.
  • the Zero Trust system continues to operate despite the change in the user's behavior.
  • the authentication performed by the Zero Trust system can have multiple factors. One way to have more than one factor is that the single WLAN-based sensing system measures more than one biometric feature.
  • WLAN sensing information e.g., according to IEEE 802.11 bf
  • other information from WLAN systems may also contribute to a Zero Trust solution.
  • other information include antenna and power characteristics (a range of power of signals from the antenna, a range of frequencies of the antenna, etc.), which can provide a fingerprint of very precise manufacturing differences between individual devices.
  • Authentication of the target object 114 e.g., a user, an electronic device, etc.
  • the other information can include a history of Service Set Identifier (SSID) and MAC address use and how often they change (this is another example of a fingerprint).
  • the historical information including SSID and MAC address use (and their frequency of change) can be compared to a current SSID and MAC address use, and a deviation may indicate that the target object 114 should not be authenticated.
  • the other information can include how many users use a same end point device. Historical information can be stored regarding a quantity of users that have previously used the end point device, and a current quantity of users using the end point device can be compared to the historical quantity of users-a deviation in the quantities can indicate that the target object 114 should not be authenticated.
  • the foregoing additional information can be used as factors in a multi-factor authentication system at a server. These can also be used as factors in an end point detection and response (EDR) system embedded within end point devices.
  • EDR end point detection and response
  • the system 400 further includes a non-transitory machine-readable or computer-readable storage medium 404 storing wireless sensing monitoring machine-readable instructions 406 executable on the one or more hardware processors 402 to perform various tasks.
  • the wireless sensing monitoring machine-readable instructions 406 are executable to receive information based on wireless sensing performed using wireless signals of a wireless interface of a wireless node (e.g., 108 in FIG. 1 ).
  • the wireless interface e.g., a radio interface, such as a WLAN radio interface, a cellular radio interface, a BLUETOOTH interface, etc.
  • the wireless node communicates data over a wireless connection established with another wireless device.
  • the wireless sensing monitoring machine-readable instructions 406 are executable to perform authentication in response to the received information.
  • the information includes biometric information of a user, and the authentication relates to the user based on the biometric information.
  • the wireless sensing monitoring machine-readable instructions 406 are executable to store a pattern of wireless sensing information, and initiate a process to perform the authentication based on the pattern of wireless sensing information.
  • the pattern of wireless sensing information is based on a motion of a user.
  • the pattern of wireless sensing information is based on a biometric feature (e.g., face, eyes, and/or other physical features) of a user.
  • the example implementations may remove the need for a user to manually enter their credentials for electronic device use, such as when the user has been separated from the electronic device for a short time.
  • the electronic device may be able to power down when a user is not detected.
  • the example implementations may improve the strength of security when an electronic device is moving between different network types (e.g., wired to wireless, a cellular network to a WLAN). Additional security checks can be made when a user is entering a banking or payment application on a device.
  • network types e.g., wired to wireless, a cellular network to a WLAN.
  • the proposed system can be used to enable basic presence detection without additional hardware and physical design complexity to add such hardware sensors to the front of a device.
  • the system can also be used to add more complex presence detection such as identifying a user without expensive high definition camera and other hardware.
  • the system also enables more flexibility in the product design because the WLAN or other wireless sensing antennas can be inside the device and work regardless of device orientation, while presence sensors and cameras have to be mounted on the front of a product and pointed at the user at a specific angle.
  • a storage medium can include any or some combination of the following: a semiconductor memory device such as a dynamic or static random access memory (a DRAM or SRAM), an erasable and programmable read-only memory (EPROM), an electrically erasable and programmable read-only memory (EEPROM) and flash memory or other type of non-volatile memory device; a magnetic disk such as a fixed, floppy and removable disk; another magnetic medium including tape; an optical medium such as a compact disk (CD) or a digital video disk (DVD); or another type of storage device.
  • a semiconductor memory device such as a dynamic or static random access memory (a DRAM or SRAM), an erasable and programmable read-only memory (EPROM), an electrically erasable and programmable read-only memory (EEPROM) and flash memory or other type of non-volatile memory device
  • a magnetic disk such as a fixed, floppy and removable disk
  • another magnetic medium including tape an optical medium such as a compact disk (CD) or a
  • the instructions discussed above can be provided on one computer-readable or machine-readable storage medium, or alternatively, can be provided on multiple computer-readable or machine-readable storage media distributed in a large system having possibly plural nodes.
  • Such computer-readable or machine-readable storage medium or media is (are) considered to be part of an article (or article of manufacture).
  • An article or article of manufacture can refer to any manufactured single component or multiple components.
  • the storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • General Health & Medical Sciences (AREA)
  • Human Computer Interaction (AREA)
  • Social Psychology (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

In some examples, a system receives information based on wireless sensing performed using wireless signals of a wireless interface of a wireless node, the wireless interface of the wireless node to communicate data over a wireless connection established with another wireless device. The system performs authentication in response to the received information.

Description

CROSS REFERENCE TO RELATED APPLICATION
This application claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Application Ser. No. 63/076,749, filed Sep. 10, 2020, which is hereby incorporated by reference.
BACKGROUND
A user can use an electronic device to perform various tasks, including tasks at the electronic device or tasks that involve accessing a remote site (e.g., a website, an application server, a database server, a storage server, etc.). For security, the user can be authenticated before access of the electronic device is granted to the user. Examples of such authentication include an authentication based on receipt of a user credential (e.g., a user identifier and password, a certificate, a token, etc.), an authentication based on receipt of biometric information from a biometric reader (e.g., a fingerprint reader, an iris scanner, a camera, etc.), and so forth.
BRIEF DESCRIPTION OF THE DRAWINGS
Some implementations of the present disclosure are described with respect to the following figures.
FIG. 1 is a block diagram of an example arrangement including a Zero Trust system, an end point device, a wireless node, and a target object, according to some implementations of the present disclosure.
FIGS. 2 and 3 are message flow diagrams of security check processes, according to some examples.
FIG. 4 is a block diagram of a system according to some examples.
Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements. The figures are not necessarily to scale, and the size of some parts may be exaggerated to more clearly illustrate the example shown. Moreover, the drawings provide examples and/or implementations consistent with the description; however, the description is not limited to the examples and/or implementations provided in the drawings.
DETAILED DESCRIPTION
In the present disclosure, use of the term “a,” “an,” or “the” is intended to include the plural forms as well, unless the context clearly indicates otherwise. Also, the term “includes,” “including,” “comprises,” “comprising,” “have,” or “having” when used in this disclosure specifies the presence of the stated elements, but do not preclude the presence or addition of other elements.
1. BACKGROUND
Zero Trust is a security term stating that no entity should be trusted. When applied to information and communications technology, this means that every connection to a specific device or network (both internal and external) should be verified (authenticated). Verification can range from an initial verification when a connection is established or verification performed on a continuous basis.
A benefit of Zero Trust is that a network that has been previously secured behind a perimeter fence (e.g., a virtual private network or VPN) can dispense with having to set up the VPN connection and authenticate directly with servers or services both on premises and in the cloud.
In addition, Zero Trust enables traditional firewalls to be moved to a specific device or network that requires security. In turn, this has the benefit of allowing various security levels to be applied to these devices or networks on a more individual basis.
The Defense Information Systems Agency (DISA) has established some Zero Trust principles, as described in “A Perspective: Zero Trust Concepts & Terminology,” Nov. 13, 2019:
    • Never Trust, Always Verify—All users and devices are treated as untrusted. Every device, user, application workload, or data flow is authenticated and explicitly authorized to the least privilege required using dynamic security policies.
    • Assume Breach—Consciously operate and defend resources with the assumption that an adversary has a presence within an environment. Deny by default, heavily scrutinize requests for access, users, devices and data flows. All traffic is logged and inspected.
    • Verify Explicitly—All resources are consistently accessed in a secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access to resources.
2. Issues
To perform multi-factor authentication at an end point device, security hardware may have to be added to the end point device in some examples. An end point device can include a smartphone, a desktop computer, a notebook computer, a tablet computer, a vehicle, or another electronic device. An example of a security hardware is a biometric reader that can be included in the end point device or connected over a link (wired link or wireless link) to the end point device. A biometric reader can include a fingerprint reader, an iris scanner, a camera, and so forth. Another example of a security hardware is a proximity sensor to detect a proximity of a user (or users) to an end point device.
Adding security hardware to an end point device to support multi-factor authentication can add to the overall cost of the end point device. Moreover, a biometric reader, a proximity sensor, or other security hardware may work properly only when the end point device is oriented in a certain way with respect to a user (e.g., a camera has to face a user, a biometric reader has to be oriented so that the pertinent part of the user can be captured, etc.). If the security hardware does not have the proper orientation, then the security hardware may not operate properly.
In addition, an end point device using Zero Trust security does not have a standardized interface between a security end point application and a wireless sensor, which can provide biometric information based on the end point device's environment. The standardized interface can be used for starting, stopping, and continuous monitoring of an environment of an end point device using a wireless sensor.
3. Example Implementations 3.1 Implementation 1: Zero Trust and Wireless Sensors
In accordance with some implementations of the present disclosure, instead of adding security hardware to perform authentication, such as Zero Trust authentication, multi-factor authentication or any other type of authentication, wireless sensors that are already present in an environment in which an end point device is located can be used for capturing features of a user or other object to be authenticated.
FIG. 1 is a block diagram of an example arrangement that includes an end point device 102 connected to a Zero Trust system 104 used to perform Zero Trust authentication. Although reference is made to a Zero Trust system, it is noted that in other examples, other systems that perform authentication can be employed.
The Zero Trust system 104 can be separate from the end point device 102, but is connected to the end point device 102 over a link 106. The link 106 can be a wired link or a wireless link. For example, the Zero Trust system 104 can be part of a cloud, a server, and so forth. Alternatively, the Zero Trust system 104 can be part of the end point device 102. In such latter examples, the Zero Trust system 104 can include a program executable in the end point device 102.
The environment in which the end point device 102 is located includes a wireless node 108. For example, if the environment includes a wireless local area network (WLAN), then the wireless node 108 can include an access point (AP). An AP is a wireless access network node that allows an electronic device to establish a connection with the AP to perform communications over the WLAN.
In other examples, other types of wireless nodes can be employed, including a wireless node that is part of a cellular access network (e.g., a fifth generation or 5G cellular network, a fourth generation or 4G cellular network, etc.), a wireless node that performs communications using BLUETOOTH signals, a wireless node that performs communications using ZIGBEE signals, a wireless node that performs communications using Dedicated Short Range Communications (DSRC) signals, and so forth.
A “wireless node” can refer to any electronic device that is able to perform wireless communications. Although the wireless node 108 is shown as being outside of the end point device 102, in other examples, the wireless node 108 can be part of the end point device 102. For example, the wireless node 108 can include a WLAN controller (or another type of network interface controller) within the end point device.
The wireless node 108 (or multiple wireless nodes 108) can be used as wireless sensors to perform wireless sensing 112 of a target object 114. The target object 114 can be a user or a group of users. In other examples, the target object 114 can be a different physical object that is to be authenticated before access is granted of the end point device 102. The authentication is based on the wireless sensing 112 performed by the wireless node(s) 108.
In accordance with some implementations of the present disclosure, the wireless node 108 can provide two roles: 1) support communications between an end point device (e.g., 102) and a network, such as a WLAN or another type of network, and 2) perform wireless sensing of the target object 114 for authenticating the target object 114.
In some implementations, a standardized interface 110 is provided between the end point device 102 and the wireless node 108. For example, the standardized interface can include an application programming interface (API), which includes various routines that are invokable to perform corresponding tasks. In other examples, other types of standardized interfaces can be employed. A “standardized” interface can refer to an interface providing functionalities that entities (such as the end point device 102 and the wireless node 108) can be configured to employ for purposes of performing authentication. For example, the standardized interface 110 can be used by the end point device to initiate an authentication process. The standardized interface 110 can be used by the wireless node 108 to provide information representing wireless sensing of the target object 114 to the end point device 102.
In examples where the wireless node 108 is included inside the end point device 102, the standardized interface 110 can be between the internal wireless node 108 and another entity (e.g., a program or a hardware device) in the end point device 102.
In accordance with some implementations of the present disclosure, a wireless sensing system including the wireless node 108 (or multiple wireless nodes 108), zero or more wireless stations (STAs), sensing protocols that govern wireless transmissions and wireless receptions, and so forth, can be used to perform authentication, such as Zero Trust authentication. The wireless sensing system can leverage use of an AP, a WLAN controller, or any other type of wireless node that is already present in an environment in which the end point device 102 is located.
Information from the wireless sensing system is used to provide environmental data input to a Zero Trust system 104 through the standardized interface 110. For example, through the standardized interface 110, the wireless sensor (implemented with the wireless node 108) provides data to the end point device 102 about the local radio environment. The wireless sensor can provide an extra source of biometric information to the end point device 102. For example, the wireless node 108 (e.g., an AP that is able to perform radio communications) can act as a short range high resolution radar. The wireless sensor can act as a single source for authorization/deauthorization and other operations in the Zero Trust system 104, or can be one of multiple factors used in a security algorithm.
When a user or object is present, this can be determined by the end point device 102 and the information is fed into the Zero Trust system 104.
In some examples, the Zero Trust system 104 can build up a pattern of wireless sensor information collected using one or more wireless nodes 108. The pattern of wireless sensor information can be compared against a security threshold, which could then trigger re-authentication or can be used to determine no authentication is required (e.g., for simple IoT devices). In some examples, the pattern of wireless sensor information can be used to recognize a regular user of the end point device 102, detect that a user has moved away from the end point device 102 for greater than a specified amount of time, and so forth. In response to detecting an unauthorized user or that a user has moved away the end point device 102 for greater than a specified amount of time, the Zero Trust system 104 can take a security action, such as locking a display screen of the end point device 102, disabling network access from the end point device 102, and so forth. In other examples, the Zero Trust system 104 can determine an identity of a user by monitoring the user's gait (walking style), a typing pattern via hand motions of the user, the user's heartbeat, and/or by identifying other patterns with the wireless sensor.
In some implementations, an existing wireless system (e.g., a WLAN system, a BLUETOOTH system, etc.) associated with the end point device 102 can operate in a wireless sensing mode (through the standardized interface 110), such as when the Zero Trust system 104 requests to perform a radio environment check. For example, if the end point device 102 has not been used for some time, a key press may allow the Zero Trust system 104 to activate the WLAN radio (e.g., of the AP or a WLAN controller) as a wireless sensor for a time duration to determine the biometrics of a user. This information is then fed back into the Zero Trust system 104 to determine if the user is allowed to utilize the end point device 102.
FIG. 2 shows an example message flow for performing a security check, such as authenticating the target object 114 (e.g., a user) in an environment 202. The Zero Trust system 104 sends (at 204) a sense indication to initiate the security check. The sense indication can be in the form of a message, an information element, and so forth. The sense indication can be a request to perform a security check based on wireless sensing of an environment.
The sense indication is sent (at 204) by the Zero Trust system 104 to the end point device 102, which sends (at 206) the sense indication to the wireless node 108 through the standardized interface 110 (e.g., an API).
In some examples, the sense indication is sent on a periodic basis by the Zero Trust system 104. In other examples, the sense indication is sent by the Zero Trust system 104 in response to a different event.
In response to the sense indication, the wireless node 108 performs wireless sensing (at 208), such as by transmitting wireless signals and receiving wireless signals. For example, the transmitted wireless signals may be affected by the target object 114 in the environment 202.
The target object 114 may absorb wireless signals and/or reflect wireless signals in various directions. The wireless node 108 can collect information that is based on how wireless signals are affected (absorbed and/or reflected) by the target object 114. For example, WLAN communications use wireless signals of relatively short wavelengths (e.g., corresponding to 2.4 gigahertz (GHz) to 5 GHz). The WLAN signals can be used as radar signals, and transmitted WLAN signals can be compared to returned WLAN signals (as affected by the target object 114) to determine characteristics of a physical environment around the wireless node 108.
In some examples, WLAN sensing is being developed in a new amendment (IEEE 802.11 bf) to the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard. The IEEE 802.11 bf amendment enables stations to perform one or more of the following: inform other stations of their WLAN sensing capabilities, request and set up transmissions that allow for WLAN sensing measurements to be performed, indicate that a transmission can be used for WLAN sensing, and exchange WLAN sensing feedback and information.
The IEEE 802.11 bf amendment enables WLAN sensing measurements to be obtained using transmissions that are requested, unsolicited, or both.
According to the IEEE 802.11 bf amendment, a Medium Access Control (MAC) service interface for layers above the MAC layer can request and retrieve WLAN sensing measurements.
Measurement information acquired by the wireless node 108 based on the wireless sensing is sent (at 210) by the wireless node 108 to the end point device 102 through the standardized interface 110 (e.g., an API). The end point device 102 then sends (at 212) the measurement information to the Zero Trust system 104.
The Zero Trust system 104 creates a security update message based on the measurement information received by the Zero Trust system 104 from the end point device 102. The Zero Trust system 104 sends (at 214) the security update message to the end point device 102. The security update message can cause the end point device 102 to perform a security action, e.g., allow access of the end point device 102 by the target object 114 based on the security update message indicating that the target object 114 has been authenticated in response to the measurement information. More generally, the security update message can be in the form of security information that indicates whether or not authentication of the target object 114 was successful.
In some scenarios, the end point device 102 may be able to assess itself, by determining whether a security update is to be performed based on the measurement information.
FIG. 2 refers to an example in which a security check is initiated by the Zero Trust system 104, either periodically or in response to an event.
FIG. 3 shows another example in which passive sensing is used. In FIG. 3 , the wireless node 108 performs passive wireless sensing (at 302) of the environment 202. For example, the wireless node 108 may be in a passive listen mode. The passive wireless sensing is performed by the wireless node 108 without being requested by the Zero Trust system 104 (or another authentication system). For example, the passive wireless sensing can be based on analyzing characteristics of wireless signals that are used as part of normal data or control communications.
Based on the passive wireless sensing, the wireless node 108 sends (at 304) measurement information to the end point device 102, through the standardized interface 110. The end point device 102 then sends (at 306) the measurement information to the Zero Trust system 104.
In response to the measurement information, the Zero Trust system 104 can initiate a re-check of the environment 202, using messaging 308, 310, 312, 314, 316, and 318, which are similar to messaging 204, 206, 208, 210, 212, and 214 of FIG. 2 .
In some examples, the conditions under which an authentication or de-authentication can be performed include any or some combination of: detecting that a user has moved away from the end point device 102, detecting that the user is in an area that the user is not allowed, detecting that the user has deviated from the user's normal path or behavior, and so forth.
In some examples, a new use case and requirements for “Wi-Fi Sensing for Zero Trust” are added to the features of the IEEE 802.11 bf amendment.
The MAC/SME (station management entity) layer of the 802.11 bf amendment can be updated to provide frames and an API to allow Zero Trust applications within a WLAN device (or network to which WLAN devices are attached) to request the transmission and reception of WLAN sensing communications.
Note: the IEEE 80.11 WLAN Sensing task group project authorization request (SENS PAR) states within its scope “An interface for applications above the MAC to request and obtain WLAN sensing information.” SENS PAR is discussed in IEEE P802.11 bf—“Standard for Information Technology—Telecommunications and Information Exchange Between Systems Local and Metropolitan Area Networks—Specific Requirements—Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment: Enhancements for Wireless Local Area Network (WLAN) Sensing,” previously “802.11 SENS SG Proposed PAR,” IEEE 802.11-19/2103r9, dated March 2020.
If API standards are developed (e.g., open standards) for Zero Trust networks and systems, then an interface to the lower level 802.11 MAC layer may be developed in 802.11.
It may also be possible for WLAN sensing devices to store (cache) previous sensing measurements and for this information to also be accessible to Zero Trust applications.
Two modes of operation may be provided: a continuous mode, and a scheduled or on-demand mode. In the continuous mode, an end point device is continually monitored for Zero Trust security (e.g., the end point device is being used in public) and so sensing continuously operates.
In the scheduled or on-demand mode, sensing is scheduled to operate for a short period on a scheduled basis to re-check the Zero Trust status. Alternatively, the Zero Trust system may explicitly send a command to the end point device to perform sensing.
3.2 Implementation 2: Other SENS Vertical Applications
There are other use cases for WLAN sensing information.
For example, in an emergency use case, the wireless sensing system can be used to determine whether there is an environmental emergency in a space. The output of the wireless sensing system can be fed into a crisis communications system, which can send a notification of the emergency. This can lead to mass notifications and situational awareness.
As another example, in a human health use case: the wireless sensing system can be used to detect health issues with a user, such as the regular user of an end point device. Deviations from historical movement patterns of a user may be indicative of a health issue, such as a concussion, a muscle injury, a bone injury, a stroke, a change in heart function, and so forth.
The wireless sensing system can monitor for a change in a user's movement pattern, and can inform the user to seek assessment from a medical professional. In a further aspect, the Zero Trust system continues to operate despite the change in the user's behavior. The authentication performed by the Zero Trust system can have multiple factors. One way to have more than one factor is that the single WLAN-based sensing system measures more than one biometric feature.
3.3 Implementation 3: Other WLAN Information
In addition to WLAN sensing information (e.g., according to IEEE 802.11 bf), other information from WLAN systems may also contribute to a Zero Trust solution. Examples of such other information include antenna and power characteristics (a range of power of signals from the antenna, a range of frequencies of the antenna, etc.), which can provide a fingerprint of very precise manufacturing differences between individual devices. Authentication of the target object 114 (e.g., a user, an electronic device, etc.) can be based on a comparison of the foregoing information to characteristic information previously stored for the target object 114, such that a deviation of the foregoing information from the characteristic information is indicative that the target object 114 should not be authenticated (in other words, the current fingerprint based on the antenna or power characteristics does not match an expected fingerprint). In further examples, the other information can include a history of Service Set Identifier (SSID) and MAC address use and how often they change (this is another example of a fingerprint). The historical information including SSID and MAC address use (and their frequency of change) can be compared to a current SSID and MAC address use, and a deviation may indicate that the target object 114 should not be authenticated. In additional examples, the other information can include how many users use a same end point device. Historical information can be stored regarding a quantity of users that have previously used the end point device, and a current quantity of users using the end point device can be compared to the historical quantity of users-a deviation in the quantities can indicate that the target object 114 should not be authenticated.
The foregoing additional information can be used as factors in a multi-factor authentication system at a server. These can also be used as factors in an end point detection and response (EDR) system embedded within end point devices.
4. Example Systems
FIG. 4 is a block diagram of a system 400, which can be the Zero Trust system 104 (FIG. 1 ), the end point device 102, or a combination of the Zero Trust system 104 and the end point device 102.
The system 400 includes one or more hardware processors 402. A hardware processor can include a microprocessor, a core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a programmable gate array, or another hardware processing circuit.
The system 400 further includes a non-transitory machine-readable or computer-readable storage medium 404 storing wireless sensing monitoring machine-readable instructions 406 executable on the one or more hardware processors 402 to perform various tasks. For example, the wireless sensing monitoring machine-readable instructions 406 are executable to receive information based on wireless sensing performed using wireless signals of a wireless interface of a wireless node (e.g., 108 in FIG. 1 ). The wireless interface (e.g., a radio interface, such as a WLAN radio interface, a cellular radio interface, a BLUETOOTH interface, etc.) of the wireless node communicates data over a wireless connection established with another wireless device.
The wireless sensing monitoring machine-readable instructions 406 are executable to perform authentication in response to the received information.
For example, the information includes biometric information of a user, and the authentication relates to the user based on the biometric information.
In further examples, the wireless sensing monitoring machine-readable instructions 406 are executable to store a pattern of wireless sensing information, and initiate a process to perform the authentication based on the pattern of wireless sensing information. For example, the pattern of wireless sensing information is based on a motion of a user. As another example, the pattern of wireless sensing information is based on a biometric feature (e.g., face, eyes, and/or other physical features) of a user.
Several benefits of some example implementations are set forth below. The example implementations may remove the need for a user to manually enter their credentials for electronic device use, such as when the user has been separated from the electronic device for a short time. Correspondingly, the electronic device may be able to power down when a user is not detected.
The example implementations may improve the strength of security when an electronic device is moving between different network types (e.g., wired to wireless, a cellular network to a WLAN). Additional security checks can be made when a user is entering a banking or payment application on a device.
The proposed system can be used to enable basic presence detection without additional hardware and physical design complexity to add such hardware sensors to the front of a device. The system can also be used to add more complex presence detection such as identifying a user without expensive high definition camera and other hardware. The system also enables more flexibility in the product design because the WLAN or other wireless sensing antennas can be inside the device and work regardless of device orientation, while presence sensors and cameras have to be mounted on the front of a product and pointed at the user at a specific angle.
A storage medium (e.g., 404 in FIG. 4 ) can include any or some combination of the following: a semiconductor memory device such as a dynamic or static random access memory (a DRAM or SRAM), an erasable and programmable read-only memory (EPROM), an electrically erasable and programmable read-only memory (EEPROM) and flash memory or other type of non-volatile memory device; a magnetic disk such as a fixed, floppy and removable disk; another magnetic medium including tape; an optical medium such as a compact disk (CD) or a digital video disk (DVD); or another type of storage device. Note that the instructions discussed above can be provided on one computer-readable or machine-readable storage medium, or alternatively, can be provided on multiple computer-readable or machine-readable storage media distributed in a large system having possibly plural nodes. Such computer-readable or machine-readable storage medium or media is (are) considered to be part of an article (or article of manufacture). An article or article of manufacture can refer to any manufactured single component or multiple components. The storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.
In the foregoing description, numerous details are set forth to provide an understanding of the subject disclosed herein. However, implementations may be practiced without some of these details. Other implementations may include modifications and variations from the details discussed above. It is intended that the appended claims cover such modifications and variations.

Claims (23)

What is claimed is:
1. A method of a system comprising a hardware processor, comprising:
receiving information based on wireless sensing of an object performed using wireless signals of a wireless interface of a wireless node, the wireless interface of the wireless node to communicate data of an end point device over a wireless connection established with another wireless device; and
performing authentication in response to the received information, wherein the information is based on a communication over a standardized interface between the wireless node and the end point device.
2. The method of claim 1, wherein the wireless sensing comprises one or more of:
wireless local area network (WLAN) sensing using WLAN signals,
wireless sensing using BLUETOOTH signals,
wireless sensing using ZIGBEE signals,
wireless sensing using Dedicated Short Range Communications (DSRC) signals, and
wireless sensing using cellular signals.
3. The method of claim 1, wherein the wireless node provides a plurality of roles, the plurality of roles comprising:
supporting communications between the end point device over the wireless connection with the another wireless device, and
performing the wireless sensing of the object for the authentication.
4. The method of claim 1, wherein the system is part of the end point device or is separate from the end point device.
5. The method of claim 1, wherein the standardized interface comprises an application programming interface (API).
6. The method of claim 1, further comprising:
sending, by the system, a request to perform a security check based on wireless sensing of an environment,
wherein the receiving and the performing of the authentication is in response to the request.
7. The method of claim 1, wherein the information is received based on a passive sense mode of the wireless node.
8. The method of claim 1, wherein the information comprises biometric information of a user, and the authentication relates to the user based on the biometric information.
9. The method of claim 1, further comprising:
storing a pattern of wireless sensing information; and
initiating a process to perform the authentication based on the pattern of wireless sensing information.
10. The method of claim 9, wherein the pattern of wireless sensing information is based on a motion of a user.
11. The method of claim 9, wherein the pattern of wireless sensing information is based on a biometric feature of a user.
12. The method of claim 1, further comprising:
determining, by the system based on the received information, presence of an emergency in an environment; and
in response to determining the presence of the emergency, sending, by the system, a notification of the emergency.
13. The method of claim 1, further comprising:
determining, by the system based on the received information, a health status of a user.
14. The method of claim 1, further comprising:
receiving, by the system, further information regarding antenna or power characteristics based on the wireless signals of the wireless interface of the wireless node,
wherein the authentication is further based on the further information.
15. The method of claim 1, further comprising:
determining, based on the wireless signals of the wireless interface of the wireless node, a fingerprint of the wireless node,
wherein the authentication is further based on the fingerprint.
16. The method of claim 1, further comprising:
determining, based on the wireless signals of the wireless interface of the wireless node, a quantity of users,
wherein the authentication is further based on the determined quantity of users.
17. The method of claim 1, wherein the authentication comprises Zero Trust authentication.
18. A system comprising:
a processor; and
a non-transitory storage medium storing instructions executable on the processor to:
receive information based on wireless sensing of an object performed using wireless signals of a wireless interface of a wireless node, the wireless interface of the wireless node to communicate data of an end point device over a wireless connection established with another wireless device; and
perform authentication in response to the received information, wherein the wireless node provides a plurality of roles, the plurality of roles comprising:
supporting communications between the end point device over the wireless connection with the another wireless device, and
performing the wireless sensing of the object for the authentication.
19. The system of claim 18, wherein the information comprises biometric information of a user, and the authentication relates to the user based on the biometric information.
20. The system of claim 18, wherein the instructions are executable on the processor to further:
store a pattern of wireless sensing information; and
initiate a process to perform the authentication based on the pattern of wireless sensing information.
21. The system of claim 20, wherein the pattern of wireless sensing information is based on a motion of a user.
22. The system of claim 18, wherein the wireless interface of the wireless node is to communicate data over the wireless connection established over a wireless local area network (WLAN) with the another wireless device, and the wireless sensing comprises WLAN wireless sensing using WLAN signals as radar signals.
23. A non-transitory storage medium storing instructions that upon execution cause a system to:
receive information based on wireless sensing of a target object performed using wireless signals of a wireless interface of a wireless node, the wireless interface of the wireless node to communicate of an end point device data over a wireless network established with another wireless device; and
perform authentication of the target object in response to the received information, wherein the information is based on a communication over a standardized interface between the wireless node and the end point device.
US17/446,839 2020-09-10 2021-09-03 Authentication using wireless sensing Active 2042-10-15 US12041444B2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US17/446,839 US12041444B2 (en) 2020-09-10 2021-09-03 Authentication using wireless sensing
CA3130056A CA3130056A1 (en) 2020-09-10 2021-09-07 Authentication using wireless sensing
CN202111057737.3A CN114258021A (en) 2020-09-10 2021-09-09 Authentication using wireless sensing
EP21196115.6A EP3968682A1 (en) 2020-09-10 2021-09-10 Authentication using wireless sensing
US18/757,913 US20240349051A1 (en) 2020-09-10 2024-06-28 Authentication using wireless sensing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063076749P 2020-09-10 2020-09-10
US17/446,839 US12041444B2 (en) 2020-09-10 2021-09-03 Authentication using wireless sensing

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/757,913 Continuation US20240349051A1 (en) 2020-09-10 2024-06-28 Authentication using wireless sensing

Publications (2)

Publication Number Publication Date
US20220078610A1 US20220078610A1 (en) 2022-03-10
US12041444B2 true US12041444B2 (en) 2024-07-16

Family

ID=77738921

Family Applications (2)

Application Number Title Priority Date Filing Date
US17/446,839 Active 2042-10-15 US12041444B2 (en) 2020-09-10 2021-09-03 Authentication using wireless sensing
US18/757,913 Pending US20240349051A1 (en) 2020-09-10 2024-06-28 Authentication using wireless sensing

Family Applications After (1)

Application Number Title Priority Date Filing Date
US18/757,913 Pending US20240349051A1 (en) 2020-09-10 2024-06-28 Authentication using wireless sensing

Country Status (4)

Country Link
US (2) US12041444B2 (en)
EP (1) EP3968682A1 (en)
CN (1) CN114258021A (en)
CA (1) CA3130056A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12445842B2 (en) * 2022-11-14 2025-10-14 Honeywell International Inc. Apparatuses, computer-implemented methods, and computer program products for managing access of wireless nodes to a network
US12477331B2 (en) 2023-05-17 2025-11-18 Cisco Technology, Inc. Continuous multi-factor authentication using wireless sensing data

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101730105A (en) * 2009-12-09 2010-06-09 杭州华三通信技术有限公司 Method and device for controlling user quantity connected to operational processor (AP)
US20140059347A1 (en) * 2012-08-27 2014-02-27 Optio Labs, LLC Systems and methods for restricting access to network resources via in-location access point protocol
US20150035643A1 (en) * 2013-08-02 2015-02-05 Jpmorgan Chase Bank, N.A. Biometrics identification module and personal wearable electronics network based authentication and transaction processing
US20150349810A1 (en) 2014-06-02 2015-12-03 Bastille Networks, Inc. Cross-modality electromagnetic signature analysis for radio frequency persona identification
US9852600B1 (en) * 2016-10-20 2017-12-26 Ion Co., Ltd. Safety monitoring system using intelligent walking stick
US20180288035A1 (en) * 2017-03-30 2018-10-04 Avaya Inc. Device enrollment service system and method
US20200053096A1 (en) * 2018-08-09 2020-02-13 Cyberark Software Ltd. Adaptive and dynamic access control techniques for securely communicating devices
JP6689501B2 (en) * 2015-09-10 2020-04-28 株式会社ハンマーバード Health information management system
US20200221262A1 (en) * 2019-01-08 2020-07-09 Blackberry Limited Controlling transmission of group-addressed data
US20200252800A1 (en) * 2019-02-04 2020-08-06 802 Secure, Inc. Zero Trust Wireless Monitoring - System and Method for Behavior Based Monitoring of Radio Frequency Environments
US20210111990A1 (en) * 2019-10-14 2021-04-15 Cisco Technology, Inc. Systems and methods for providing multiple disjointed paths to core network at first-mile access
US20210136569A1 (en) * 2019-11-05 2021-05-06 T-Mobile Usa, Inc. Wireless carrier network-enabled protection of high value data
US11043051B2 (en) * 2016-12-22 2021-06-22 Automatic Technology (Australia) Pty Ltd Method, system and software product for providing temporary access to an area controlled by network-connected endpoint devices
US20220078191A1 (en) * 2020-09-08 2022-03-10 Arris Enterprises Llc Wi-fi multiple access point - biometric based improvements

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101959191B (en) * 2010-09-25 2012-12-26 华中科技大学 Safety authentication method and system for wireless network
KR101359659B1 (en) * 2012-08-09 2014-02-06 숭실대학교산학협력단 Management server for managing wireless sensing device, and management method thereof
US20150242605A1 (en) * 2014-02-23 2015-08-27 Qualcomm Incorporated Continuous authentication with a mobile device
KR102080747B1 (en) * 2014-03-28 2020-02-24 엘지전자 주식회사 Mobile terminal and control method thereof
US10725161B2 (en) * 2017-12-15 2020-07-28 Google Llc Seamless authentication using radar
CN108696865B (en) * 2018-04-24 2021-02-02 西南科技大学 Wireless sensor network node security authentication method
US11075778B2 (en) * 2019-09-26 2021-07-27 Intel Corporation Apparatus, system and method of wireless sensing

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101730105A (en) * 2009-12-09 2010-06-09 杭州华三通信技术有限公司 Method and device for controlling user quantity connected to operational processor (AP)
US20140059347A1 (en) * 2012-08-27 2014-02-27 Optio Labs, LLC Systems and methods for restricting access to network resources via in-location access point protocol
US20150035643A1 (en) * 2013-08-02 2015-02-05 Jpmorgan Chase Bank, N.A. Biometrics identification module and personal wearable electronics network based authentication and transaction processing
US20150349810A1 (en) 2014-06-02 2015-12-03 Bastille Networks, Inc. Cross-modality electromagnetic signature analysis for radio frequency persona identification
JP6689501B2 (en) * 2015-09-10 2020-04-28 株式会社ハンマーバード Health information management system
US9852600B1 (en) * 2016-10-20 2017-12-26 Ion Co., Ltd. Safety monitoring system using intelligent walking stick
US11043051B2 (en) * 2016-12-22 2021-06-22 Automatic Technology (Australia) Pty Ltd Method, system and software product for providing temporary access to an area controlled by network-connected endpoint devices
US20180288035A1 (en) * 2017-03-30 2018-10-04 Avaya Inc. Device enrollment service system and method
US20200053096A1 (en) * 2018-08-09 2020-02-13 Cyberark Software Ltd. Adaptive and dynamic access control techniques for securely communicating devices
US20200221262A1 (en) * 2019-01-08 2020-07-09 Blackberry Limited Controlling transmission of group-addressed data
US20200252800A1 (en) * 2019-02-04 2020-08-06 802 Secure, Inc. Zero Trust Wireless Monitoring - System and Method for Behavior Based Monitoring of Radio Frequency Environments
US20210111990A1 (en) * 2019-10-14 2021-04-15 Cisco Technology, Inc. Systems and methods for providing multiple disjointed paths to core network at first-mile access
US20210136569A1 (en) * 2019-11-05 2021-05-06 T-Mobile Usa, Inc. Wireless carrier network-enabled protection of high value data
US20220078191A1 (en) * 2020-09-08 2022-03-10 Arris Enterprises Llc Wi-fi multiple access point - biometric based improvements

Non-Patent Citations (11)

* Cited by examiner, † Cited by third party
Title
Alper Kerman et al., National Institute of Stndards and Technology, Implementing a Zero Trust Architecture, Mar. 2020 (20 pages).
Canadian Patent Office, Office Action for Appl. No. 3,130,056 dated Oct. 31, 2023 (5 pages).
CBC Radio, Quirks & Quarks, Your Wi-Fi router could be used to watch you breathe and monitor your heatbeat, Jun. 21, 2019 (7 pages).
Claudio Da Silva, IEEE 802.11-19/2103r9, Wireless LANs, 802.11 SENS SG Proposed PAR, Mar. 30, 2020 (4 pages).
Colonel Darcy Saint-Amant, Defence Information Systems Agency, Zero Trust Strategy, Nov. 13, 2019 (6 pages).
Dean Takashi, Dell's Latitude 7400 2-in-1 laptop sensesyour presence and wakes itself, Jan. 4, 2019 (6 pages).
Debashi Dash et al., IEEE 802.11-19/1769, CSI-based Wi-Fi Sensing: Results and Standardization Challenges, Oct. 30, 2019 (10 pages).
Dinesh Dharadia et al., IEEE 802.11-19/1987, CSI-based Context-Assisted Indoor Localization, Nov. 2019 (14 pages).
European Patent Office, Extended European Search Report for Appl. No. 21196115.6 dated Jan. 27, 2022 (8 pages).
National Cybersecurity Center of Excellence, Zero Trust Architecture downloaded Sep. 8, 2020 (4 pages).
Waddell, Kaveh, Technology, All the Ways Your Wi-Fi Router Can Spy on You, Aug. 24, 2016 (8 pages).

Also Published As

Publication number Publication date
EP3968682A1 (en) 2022-03-16
US20240349051A1 (en) 2024-10-17
CA3130056A1 (en) 2022-03-10
CN114258021A (en) 2022-03-29
US20220078610A1 (en) 2022-03-10

Similar Documents

Publication Publication Date Title
US11409881B2 (en) Method and apparatus for wireless signal based location security system
US11347833B2 (en) Method and apparatus for optimized access of security credentials via mobile edge-computing systems
US20240349051A1 (en) Authentication using wireless sensing
EP3839774B1 (en) Continuous authentication system and related methods
US10097529B2 (en) Semiconductor device for controlling access right to server of internet of things device and method of operating the same
US9420464B2 (en) Technologies for controlling network access based on electronic device communication fingerprints
US9280890B2 (en) Security system access detection
US10686793B2 (en) Integrated biometrics for application security
US20080282327A1 (en) Network authorization status notification
US20190073846A1 (en) Access Control Reader for Secure Handsfree Access with Mobile Devices
US20180077174A1 (en) Intrusion Detection and Response System
US20210185528A1 (en) Method for identifying terminal device and communications apparatus
EP3729848B1 (en) Methods to enable context aware authorization for data or services in the iot/m2m service layer
US10061933B1 (en) System and method for controlling the power states of a mobile computing device
KR102178305B1 (en) Security system for controlling IoT network access
US20220408263A1 (en) Access control system and method
KR101837289B1 (en) Trust evaluation model and system in iot
CN109872424A (en) A kind of unlocking method, device, electronic equipment and storage medium
US20180077576A1 (en) Systems, methods and computer-readable storage media facilitating access point management via secure association of an access point and a mobile device
EP4052498B1 (en) Method for providing iot devices access to restricted access information
HK40070406A (en) Authentication using wireless sensing
US11316890B2 (en) Network denial of service defense method and system
WO2025264159A1 (en) Authorization of user equipment and authentication of user
Valiev Automatic ownership change detection for IoT devices
KR20240166310A (en) Method and apparatus for logical access over uwb communication

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: BLACKBERRY LIMITED, ONTARIO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BLACKBERRY UK LIMITED;REEL/FRAME:058937/0941

Effective date: 20220209

AS Assignment

Owner name: BLACKBERRY LIMITED, CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MONTEMURRO, MICHAEL PETER;LEPP, JAMES RANDOLPH WINTER;SIGNING DATES FROM 20220124 TO 20220125;REEL/FRAME:058970/0266

Owner name: BLACKBERRY UK LIMITED, UNITED KINGDOM

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MCCANN, STEPHEN;REEL/FRAME:058970/0210

Effective date: 20220124

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE